"hdr" has been copied in from user space and "hdr.opcode" is checked. The code copies it again. User space data between the two copies is subject to modification if the user-space code is multithreaded and malicious. The modification may invalidate the check. The fix avoids copying the header from user space again.
Signed-off-by: Kangjie Lu <k...@umn.edu> --- fs/coda/psdev.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/coda/psdev.c b/fs/coda/psdev.c index fb4d1c654773..248d21f84b54 100644 --- a/fs/coda/psdev.c +++ b/fs/coda/psdev.c @@ -174,7 +174,10 @@ static ssize_t coda_psdev_write(struct file *file, const char __user *buf, hdr.opcode, hdr.unique); nbytes = req->uc_outSize; /* don't have more space! */ } - if (copy_from_user(req->uc_data, buf, nbytes)) { + *((struct coda_in_hdr *)req->uc_data) = hdr; + if (copy_from_user(req->uc_data + sizeof(hdr), + buf + sizeof(hdr), + nbytes - sizeof(hdr))) { req->uc_flags |= CODA_REQ_ABORT; wake_up(&req->uc_sleep); retval = -EFAULT; -- 2.17.2 (Apple Git-113)
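Review bot: nbytes - sizeof(hdr) in the new copy_from_user() call can underflow, and the assignment *((struct coda_in_hdr *)req->uc_data) = hdr; writes sizeof(hdr) bytes into uc_data unconditionally; nothing in this hunk guarantees nbytes >= sizeof(hdr), and the clamp just above it, nbytes = req->uc_outSize;, can lower nbytes below that. Add a guard before the assignment, e.g. if (nbytes < sizeof(hdr)) { retval = -EINVAL; ... } taking the same exit path as the -EFAULT case. The assignment also presumes the earlier fetch populated every field of hdr; if that peek copied only opcode and unique, the remaining header fields placed in uc_data are whatever hdr's stack storage held, whereas the replaced copy_from_user(req->uc_data, buf, nbytes) took them from the user buffer. A memcpy(req->uc_data, &hdr, sizeof(hdr)) would also avoid the aligned-store assumption the cast makes on uc_data.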
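The race the commit message describes, as an added user-space model that is not the kernel's code or part of this patch: struct in_hdr, struct user_page, fake_copy_from_user() and the OPC_* values are hypothetical stand-ins for struct coda_in_hdr, the user buffer, copy_from_user() and the opcode check. The "racing thread" is a callback that rewrites the buffer after the first fetch, so the outcome is deterministic: the double-fetch shape acts on an opcode the check never saw, the single-fetch shape acts on the bytes it validated, and a message shorter than the header is rejected before the nbytes - sizeof(hdr) subtraction can underflow.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MSG        64
#define OPC_ALLOWED    7    /* hypothetical opcode the handler accepts */
#define OPC_PRIVILEGED 42   /* hypothetical opcode the check must reject */

/* Stand-in for struct coda_in_hdr: only the two peeked fields. */
struct in_hdr {
    uint32_t opcode;
    uint32_t unique;
};

/* Simulated user page. on_fetch runs on every fetch and stands in for a
 * second user thread rewriting the buffer between the kernel's copies. */
struct user_page {
    unsigned char data[MAX_MSG];
    unsigned fetches;
    void (*on_fetch)(struct user_page *);
};

/* Stand-in for copy_from_user(): 0 on success, -1 on a bad range. */
static int fake_copy_from_user(void *dst, struct user_page *src,
                               size_t off, size_t n)
{
    if (off > MAX_MSG || n > MAX_MSG - off)
        return -1;
    if (src->on_fetch)
        src->on_fetch(src);          /* racing thread gets its turn */
    memcpy(dst, src->data + off, n);
    src->fetches++;
    return 0;
}

/* Attacker thread: swap the opcode only after the first (checked) fetch. */
static void flip_after_check(struct user_page *p)
{
    if (p->fetches == 1) {
        uint32_t v = OPC_PRIVILEGED;
        memcpy(p->data, &v, sizeof v);
    }
}

typedef int (*handler_fn)(struct user_page *, size_t, unsigned char *);

/* Shared prologue: size check, peek at the header, reject the privileged opcode. */
static int fetch_and_check(struct in_hdr *hdr, struct user_page *ubuf, size_t nbytes)
{
    if (nbytes < sizeof *hdr || nbytes > MAX_MSG)
        return -22;                  /* -EINVAL; also keeps nbytes - sizeof(hdr) >= 0 */
    if (fake_copy_from_user(hdr, ubuf, 0, sizeof *hdr))
        return -14;                  /* -EFAULT */
    if (hdr->opcode == OPC_PRIVILEGED)
        return -1;                   /* -EPERM */
    return 0;
}

/* Vulnerable shape: the whole message, header included, is fetched again. */
static int handler_double_fetch(struct user_page *ubuf, size_t nbytes, unsigned char *out)
{
    struct in_hdr hdr;
    int err = fetch_and_check(&hdr, ubuf, nbytes);
    if (err)
        return err;
    /* The check above covered the bytes fetched then, not these. */
    if (fake_copy_from_user(out, ubuf, 0, nbytes))
        return -14;
    return 0;
}

/* Fixed shape: reuse the validated header, fetch only the payload after it. */
static int handler_single_fetch(struct user_page *ubuf, size_t nbytes, unsigned char *out)
{
    struct in_hdr hdr;
    int err = fetch_and_check(&hdr, ubuf, nbytes);
    if (err)
        return err;
    memcpy(out, &hdr, sizeof hdr);   /* the bytes that were actually checked */
    if (fake_copy_from_user(out + sizeof hdr, ubuf, sizeof hdr, nbytes - sizeof hdr))
        return -14;
    return 0;
}

/* Run a handler on a 16-byte message that starts as OPC_ALLOWED; returns the
 * opcode that ended up in the kernel-side buffer, or 0 if the handler failed. */
static uint32_t run_scenario(handler_fn handler, int racing)
{
    struct user_page page;
    unsigned char out[MAX_MSG];
    uint32_t opc = OPC_ALLOWED, got;

    memset(&page, 0, sizeof page);
    memset(out, 0, sizeof out);
    memcpy(page.data, &opc, sizeof opc);
    page.on_fetch = racing ? flip_after_check : NULL;
    if (handler(&page, 16, out) != 0)
        return 0;
    memcpy(&got, out, sizeof got);
    return got;
}

/* A message shorter than the header must fail before any fetch or subtraction. */
static int undersized_is_rejected(void)
{
    struct user_page page;
    unsigned char out[MAX_MSG];
    memset(&page, 0, sizeof page);
    return handler_single_fetch(&page, 4, out);
}

int main(void)
{
    printf("double fetch, no race: opcode %u\n", run_scenario(handler_double_fetch, 0));
    printf("double fetch, racing:  opcode %u\n", run_scenario(handler_double_fetch, 1));
    printf("single fetch, racing:  opcode %u\n", run_scenario(handler_single_fetch, 1));
    printf("undersized message:    rc %d\n", undersized_is_rejected());
    return 0;
}
```

The callback replaces a real second thread only to make the window deterministic; in the kernel the attacker has to win a scheduler race, but a tight loop flipping the field between two values wins it often enough that the check cannot be relied on.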